The Hacker News — Cyber Security, Hacking, Technology News

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a framework the CIA uses to monitor the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices.

Dubbed "Cherry Blossom," the framework was allegedly designed by the Central Intelligence Agency (CIA) with the help of Stanford Research Institute (SRI International), an American nonprofit research institute, as part of its ‘Cherry Bomb’ project.

"An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest," a leaked CIA manual reads.

"The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection," WikiLeaks says.

According to WikiLeaks, CIA hackers use the Cherry Blossom tool to hijack wireless networking devices on targeted networks and then perform man-in-the-middle attacks to monitor and manipulate the Internet traffic of connected users.

Once it has taken full control of the wireless device, the implant reports back to a CIA-controlled command-and-control server referred to as 'CherryTree', from which it receives instructions and then performs malicious tasks, which include:

Injecting malicious content into the data stream to fraudulently deliver malware and compromise the connected systems

Setting up VPN tunnels to access clients connected to Flytrap's WLAN/LAN for further exploitation

Copying the full network traffic of a targeted device

According to an installation guide, the CherryTree C&C server must be located in a secure sponsored facility and installed on Dell PowerEdge 1850 powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM.

Cherry Blossom Hacks Wi-Fi Devices from Wide-Range of Vendors

Cherry Blossom can exploit vulnerabilities in hundreds of Wi-Fi devices (full list here) manufactured by the following vendors:

Previous Vault 7 CIA Leaks

Last week, WikiLeaks dumped an alleged CIA project, dubbed Pandemic, that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

The tool is a persistent implant for Microsoft Windows machines that has been designed to infect networks of Windows computers through the Server Message Block (SMB) file sharing protocol by replacing application code on-the-fly with a trojanized version of the software.

Since March, the whistleblowing group has published 11 batches in the "Vault 7" series, including this week's and last week's leaks along with the following:

Athena – a CIA spyware framework designed to take full remote control of infected Windows PCs; it works against every version of Microsoft's Windows operating system, from Windows XP to Windows 10.

AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back on actions on the infected remote host and to execute malicious actions.

Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).

Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.

Grasshopper – revealed a framework that allowed the agency to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.

Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or packer used by the CIA to hide the actual source of its malware.

Dark Matter – focused on exploits the agency designed to target iPhones and Macs.

Weeping Angel – a spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.

Year Zero – dumped CIA hacking exploits for popular hardware and software.

The United States' trade watchdog has sued Taiwan-based D-Link, alleging that lax security left its products vulnerable to hackers.

The Federal Trade Commission (FTC) filed a lawsuit (pdf) against D-Link on Thursday, arguing that the company failed to implement necessary security protection in its routers and Internet-connected security cameras that left "thousands of consumers at risk" to hacking attacks.

The move comes as cyber criminals have been hijacking poorly secured internet-connected devices to launch massive DDoS attacks that can force major websites offline.

Just over two months ago, a nasty IoT botnet known as Mirai was found infecting routers, webcams, and DVRs built with weak default passwords and then using them to DDoS major internet services.

The popular DNS provider Dyn was one of the victims of a Mirai-based attack that knocked the internet offline for many users.

To combat this issue, on the one hand, the popular networking equipment provider Netgear has launched a bug bounty program, inviting researchers and hackers to find and responsibly report security flaws in its hardware, mobile apps, and APIs for cash rewards ranging from $150 to $15,000.

But on the other hand, D-Link has been accused of several FTC Act violations, including:

Making false claims about security in its router and IP camera user interfaces and promotional materials.

Falsely claiming that reasonable measures have been taken to protect its devices against well-known and easily preventable security flaws, like "hard-coded" user credentials and command injection flaws, which would allow any remote attacker to gain unauthorized access to its devices.

Failure to secure its software.

According to the complaint filed in San Francisco federal court, D-Link's insecure products allowed hackers to "monitor a consumer’s whereabouts to target them for theft or other crimes."

Several security researchers and hackers found serious flaws in D-Link products over the past year, and while some were satisfied with the company addressing the issue, others disclosed unpatched flaws due to its failure to release firmware updates in time.

In response to the complaint, D-Link released a statement saying that the charges brought against it are "unwarranted and baseless" and that the company will "vigorously defend itself."

The FTC "fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries," D-Link added.

Given the rise in IoT threats, the Commission is taking steps to protect Internet-of-Things devices.

The FTC introduced guidelines for securing IoT devices back in 2015, and recently it also launched a public "prize competition" aimed at finding a technical solution for securing IoT devices. The winner of the contest will receive $25,000 in prize money.

Radio-based wireless keyboards and mice that use a special USB dongle to communicate with your PC can expose all your secrets – your passwords, credit card numbers and everything you type.

Back in February, researchers from the Internet of things security firm Bastille Networks demonstrated how they could take control of wireless keyboards and mice from several top vendors using so-called MouseJack attacks.

The latest findings by the same security firm are even worse.

Researchers have discovered a new hacking technique that can allow hackers to take over your wireless keyboard and secretly record every key you press on it.

Dubbed KeySniffer, the hack affects millions of wireless, radio-based keyboards.

The keyboards from a surprising range of vendors, including Anker, EagleTec, General Electric, Hewlett-Packard, Insignia, Kensington, Radio Shack, and Toshiba, are vulnerable to KeySniffer.

This isn’t the first time researchers have targeted wireless keyboards. In 2015, a white hat hacker developed a cheap Arduino-based device, dubbed KeySweeper, which covertly logs, decrypts and reports back all keystrokes from Microsoft wireless keyboards.

Whereas KeySweeper relied on the weak encryption used by Microsoft, the KeySniffer discovery is different: in this case manufacturers are actually making and selling wireless keyboards with no encryption at all.

Kensington, one of the affected hardware makers, responded by saying that only a single version of its keyboards was affected by the KeySniffer flaw and that a firmware update adding AES encryption has been released.

Since millions of people use one of the wireless keyboards identified by Bastille Networks, the advice is to either go back to wired keyboards or at least switch to Bluetooth.

Radio-based wireless keyboards and mice are an attractive target for hackers. Two months ago, the FBI also issued a warning to private industry partners to look out for highly stealthy keyloggers that quietly sniff passwords and other input data from wireless keyboards.

If you are one of our readers who follow every update on The Hacker News, you probably know that public Wi-Fi networks are a security risk. But many people aren't aware of it, including our great politicians.

Internet security provider F-Secure carried out an experimental hack against three prominent UK politicians and broke into their accounts with the help of public Wi-Fi networks.

To be very clear, all three politicians – Rt. Hon. David Davis MP, Mary Honeyball MEP and Lord Strasburger – gave their consent to the recent exercise, which focused on hacking into their devices using public, freely available Wi-Fi networks across London.

F-Secure teamed up with the penetration testing firm Mandalorian Security Services and the Cyber Security Research Institute to carry out the tests.

Despite holding major positions within their different parliaments, all three politicians admitted that they had "received no formal training or information about the relative ease" with which systems can be hacked while using insecure public Wi-Fi – which all three said they use regularly.

Here are the Test Results:

Rt. Hon. David Davis MP HACKED!

The white hats captured his email password over public Wi-Fi and successfully broke into the email account of David Davis, Conservative MP for Haltemprice and Howden, who is well known for his views on privacy and surveillance.

To underline the security risk, a Mandalorian penetration tester left a draft email to the national press announcing his defection to UKIP. Moreover, his PayPal account was also compromised, as it used the same password as his Gmail.

Here is how Davis responded to the results: "Well, it is pretty horrifying, to be honest. What you have extracted was a very tough password, tougher than most people use. It is certainly not 'Password.'"

Mary Honeyball MEP HACKED!

Mary Honeyball MEP, who holds a seat on the EU committee responsible for the 'We love Wi-Fi' campaign, herself became a victim of a phishing attack.

Honeyball was browsing the Internet in a cafe when she received a message seemingly from Facebook inviting her to log in to her account again. She ended up giving her Facebook credentials to the ethical hacker, who then accessed her Facebook account.

Lord Strasburger HACKED!

Now let's move on to Lib Dem peer Lord Strasburger. A Voice over IP (VoIP) call he made from his hotel was intercepted and recorded using Wireshark, a freely available network analysis tool.

"That's very worrying. This is very powerful equipment," Strasburger said. "The thought that a beginner could be up and running in a very few hours is really worrying. I think it proves that people (when they are using technology) need to know a lot more about it. In the end, they have to look after themselves, because it really is down to you, no one else is going to do it."

A Small but Effective Takeaway

The experiment on the politicians demonstrates how easy it is to compromise and steal the personal data of users relying on public Wi-Fi networks.

No doubt free Wi-Fi saves your mobile data and keeps you online while on the road, but such networks are far from secure.

I will not advise you not to use public Wi-Fi networks, but do protect your data with a service such as a VPN (Virtual Private Network), which encrypts all the traffic traveling from your device to the network.

GoPro, the popular wearable high-definition camera manufacturer, has a vulnerability in its official website that exposes the wireless network usernames and passwords of thousands of its customers.

Action camera maker GoPro manufactures cameras which are compact, lightweight, rugged, and are wearable or mountable on vehicles. GoPro cameras capture still photos or video in HD through a wide-angle lens.

GoPro offers a mobile app to its users that gives you full remote control of all camera functions — take a photo, start/stop recording and adjust settings.

You need to connect to the wireless network operated by your camera, and the GoPro app gives you instant access to the GoPro Channel to view photos and play back videos, then share your favorites via email, text, Facebook, Twitter and more.

FLAW EXPOSES WIRELESS PASSWORD

Security researcher Ilya Chernyakov reported to The Hacker News team that the GoPro camera update mechanism could expose your wireless username and password to hackers.

Recently, Chernyakov borrowed a GoPro camera from a friend who had forgotten its GoPro password. So he decided to recover the camera's password by updating its firmware manually, as described on the GoPro website.

To get the camera update files, one follows the instructions on the GoPro website. "It is pretty simple procedure, with Next -> Next -> Finish that ends up with a link, to a zip file. When you download this file, you get a zip archive which you supposed to copy to a SD card, put it in your GoPro and reboot the camera," he explained.

When he opened the archive, he found a file named "settings.in", which contained the desired settings for the camera, including his wireless network's name and password in plain text, as shown in the figure.

Note the numeric characters (shown in red bold) in the archive URL above, which represent some sort of serial number specific to Chernyakov's camera.

COLLECTING THOUSANDS OF WIRELESS PASSWORDS

Chernyakov noticed that the GoPro website does not use any kind of authentication when serving each customer's archive download, and that changing the numeric value in the URL above up or down by any amount exposes the customized archive of another customer.

He wrote a Python script to automatically download the file for every number in the same serial range and collected thousands of wireless usernames and passwords belonging to GoPro customers, including his own.

Obviously, a wireless password is of no use unless the attacker is within range of the targeted wireless network, but an exposed username/password list could still be used by attackers as a simple dictionary in brute-force attacks against other accounts.

Chernyakov reported the vulnerability to the company but has not heard back. The list of affected customers could be long, as GoPro is a popular camera maker; the company recently reported fourth-quarter revenue of $634 million, more than double its third-quarter sales.
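A server-side detector for the enumeration pattern described above, added here as an example (it is not code from the researcher or from GoPro): it parses constructed access-log lines and flags any client that walks consecutive serial numbers in the archive URL within a short window. The path `/firmware/archive/<serial>.zip` is a placeholder standing in for the unauthenticated URL in the article, and all addresses and serials are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of web-server access-log lines (Common Log Format).
# The path is a placeholder for the serial-numbered, unauthenticated update URL.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2014:10:00:01 +0000] "GET /firmware/archive/100231.zip HTTP/1.1" 200 51234
203.0.113.5 - - [10/Feb/2014:10:00:02 +0000] "GET /firmware/archive/100232.zip HTTP/1.1" 200 50998
203.0.113.5 - - [10/Feb/2014:10:00:02 +0000] "GET /firmware/archive/100233.zip HTTP/1.1" 404 0
203.0.113.5 - - [10/Feb/2014:10:00:03 +0000] "GET /firmware/archive/100234.zip HTTP/1.1" 200 51101
203.0.113.5 - - [10/Feb/2014:10:00:03 +0000] "GET /firmware/archive/100235.zip HTTP/1.1" 200 50876
198.51.100.7 - - [10/Feb/2014:10:05:44 +0000] "GET /firmware/archive/100900.zip HTTP/1.1" 200 51002
198.51.100.7 - - [10/Feb/2014:11:20:10 +0000] "GET /firmware/archive/100900.zip HTTP/1.1" 200 51002
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)
SERIAL_RE = re.compile(r"^/firmware/archive/(?P<serial>\d+)\.zip$")


def parse_line(line):
    """Return (ip, timestamp, serial, status), or None for lines that are not archive fetches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    s = SERIAL_RE.match(m.group("path"))
    if not s:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(s.group("serial")), int(m.group("status"))


def find_enumeration(log_text, min_requests=4, window_seconds=60):
    """Flag clients that fetch a run of consecutive serials within a short window.

    A legitimate owner fetches the archive for one serial (possibly more than once);
    walking serial N, N+1, N+2 ... (or N-1, N-2 ...) is the enumeration the article describes.
    Failed fetches (404) still count, since probing for valid serials is part of the pattern.
    Returns {ip: (first_serial, last_serial, request_count)} for flagged clients.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, serial, _status = rec
            per_ip[ip].append((ts, serial))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        run_start = 0
        for i in range(1, len(events) + 1):
            # The run continues while the serial steps by exactly one and the
            # run as a whole still fits inside the time window.
            contiguous = (
                i < len(events)
                and abs(events[i][1] - events[i - 1][1]) == 1
                and (events[i][0] - events[run_start][0]).total_seconds() <= window_seconds
            )
            if not contiguous:
                run_len = i - run_start
                if run_len >= min_requests:
                    flagged[ip] = (events[run_start][1], events[i - 1][1], run_len)
                    break
                run_start = i
    return flagged


if __name__ == "__main__":
    for ip, (first, last, n) in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} consecutive serials {first}..{last}")
```

The thresholds are deliberately low for the sample; in production they would be tuned against the real rate of legitimate downloads, and the real fix is an ownership check on the download rather than detection alone.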

A Greek security researcher, named George Chatzisofroniou, has developed a WiFi social engineering tool that is designed to steal credentials from users of secure Wi-Fi networks.

The tool, dubbed WiFiPhisher, was released on the software development website GitHub on Sunday and is freely available.

"It's a social engineering attack that does not use brute forcing in contrast to other methods. It's an easy way to get WPA passwords," said George Chatzisofroniou.

There are several hacking tools available on the Internet that can compromise a secured Wi-Fi network, but this tool automates multiple Wi-Fi hacking techniques in one workflow, which makes it slightly different from the others.

WiFiPhisher uses the "Evil Twin" attack scenario. As in any evil twin attack, the tool first creates a phony wireless access point (AP) that masquerades as the legitimate Wi-Fi AP. It then directs a denial of service (DoS) attack against the legitimate access point, or creates RF interference around it, which disconnects wireless users and prompts them to inspect the available networks.

Once they are disconnected from the legitimate access point, the tool gets the offline computers and devices to reconnect to the evil twin, allowing the hacker to intercept all the traffic to and from those devices.

The technique is also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP. These kinds of attacks use phony access points with fake login pages to capture users' Wi-Fi credentials or credit card numbers, launch man-in-the-middle attacks, or infect wireless hosts.

"WiFiPhisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase [and] does not include any brute forcing," Chatzisofroniou said. "WifiPhisher sniffs the area and copies the target access point's settings [and] creates a rogue wireless access point that is modeled on the target."

As soon as the victim requests any web page from the internet, WifiPhisher serves a realistic page that mimics the router's configuration interface and asks the user to confirm the WPA password, supposedly because of a router firmware upgrade.

The tool could thus be used by hackers and cybercriminals to mount further phishing and man-in-the-middle attacks against connected users.

The tool has also drawn criticism on several online discussion forums, because a fake access point cannot replicate the protected network without knowing its password.

"The tool is actually creating a second, unencrypted network. On Windows it will give you a warning that the configuration of the network has changed. On Android you'd have to manually reconnect to the unencrypted network. So their method doesn't automatically perform a man-in-the-middle attack," said one of the critics on Reddit.

Wifiphisher works on Kali Linux and is licensed under the MIT license. Users can download and install the tool on their Kali Linux distribution for free.
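The two observable steps of the attack chain described above, a burst of deauthentication frames followed by an open network borrowing a protected SSID (the unencrypted copy the Reddit critic points out), are exactly what a wireless IDS looks for. The following is an added example, not part of WiFiPhisher or of the original article, that runs that check over constructed beacon and deauth observations; the inventory, BSSIDs and frame counts are all made up.

```python
from collections import defaultdict

# Constructed inventory of the access points we manage (made-up values):
# SSID -> (expected security type, set of authorised BSSIDs).
MANAGED_NETWORKS = {
    "CorpWiFi": ("WPA2", {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
}

# Constructed beacon observations, as a WIDS sensor would record them from the air.
OBSERVED_BEACONS = [
    {"ssid": "CorpWiFi",  "bssid": "00:11:22:33:44:01", "channel": 6,  "security": "WPA2"},
    {"ssid": "CorpWiFi",  "bssid": "00:11:22:33:44:02", "channel": 11, "security": "WPA2"},
    {"ssid": "CorpWiFi",  "bssid": "de:ad:be:ef:00:01", "channel": 6,  "security": "OPEN"},
    {"ssid": "CorpWiFi",  "bssid": "de:ad:be:ef:00:02", "channel": 1,  "security": "WPA2"},
    {"ssid": "CafeGuest", "bssid": "aa:bb:cc:dd:ee:ff", "channel": 1,  "security": "OPEN"},
]

# Constructed deauthentication frames: (seconds, source BSSID, destination).
# Thirty broadcast deauths in three seconds carrying our own AP's address,
# plus one ordinary single-client deauth from the other AP.
OBSERVED_DEAUTHS = [(100.0 + 0.1 * i, "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff") for i in range(30)]
OBSERVED_DEAUTHS.append((250.0, "00:11:22:33:44:02", "66:77:88:99:aa:bb"))


def check_beacons(managed, beacons):
    """Compare observed beacons with the inventory.

    Returns a list of (alert_type, ssid, bssid) tuples:
      evil_twin_open -- our SSID advertised as an open network by an unknown BSSID
      rogue_bssid    -- our SSID advertised by an unknown BSSID with the expected security
      config_change  -- one of our own BSSIDs advertising a different security type
    Beacons for SSIDs we do not manage (neighbouring networks) are ignored.
    """
    alerts = []
    for b in beacons:
        if b["ssid"] not in managed:
            continue
        expected_sec, authorised = managed[b["ssid"]]
        if b["bssid"] in authorised:
            if b["security"] != expected_sec:
                alerts.append(("config_change", b["ssid"], b["bssid"]))
        elif b["security"] == "OPEN" and expected_sec != "OPEN":
            alerts.append(("evil_twin_open", b["ssid"], b["bssid"]))
        else:
            alerts.append(("rogue_bssid", b["ssid"], b["bssid"]))
    return alerts


def check_deauth_flood(deauths, threshold=20, window_seconds=10.0):
    """Flag source BSSIDs that send at least `threshold` deauth frames within `window_seconds`.

    A burst of broadcast deauths carrying a legitimate AP's address is the
    disconnect step that precedes clients reconnecting to the twin.
    Returns {bssid: peak_count_in_window} for flagged sources.
    """
    by_src = defaultdict(list)
    for ts, src, _dst in deauths:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for alert in check_beacons(MANAGED_NETWORKS, OBSERVED_BEACONS):
        print("beacon alert:", alert)
    for src, count in check_deauth_flood(OBSERVED_DEAUTHS).items():
        print(f"deauth flood from {src}: {count} frames in window")
```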

Network security practitioners rely heavily on intrusion detection systems (IDS) to identify malicious activity on their networks by examining network traffic in real time. IDS are available in Network (NIDS) and Host (HIDS) forms, as well as for Wireless (WIDS). Host IDS is installed via an agent on the system you are monitoring and analyzes system behavior and configuration status. Network IDS inspects the traffic between hosts to find signatures of suspicious behavior and anomalies. Wireless IDS identifies rogue network access points, unauthorized login attempts, encryption-level in use, and other anomalous behavior. There are many options for open source IDS tools if your budget for buying new tools is tight.

Asset inventory and vulnerability management go hand in hand with IDS. Knowing the role, function, and vulnerabilities of your assets will add valuable context to your investigations. AlienVault Unified Security Management (USM) includes IDS integrated with asset discovery and vulnerability scanning so you can quickly get all the information you need to respond to incidents.

AlienVault’s Network IDS shows you the overall status of your network for a management view:

Best practices for Network IDS:

Baselining or profiling normal network behavior is the first step for IDS deployment. Determining what’s “normal” for your network allows you to focus on anomalous and potentially malicious behavior. This saves you time and brings real threats to the surface quickly for remediation.

Placement of the IDS device is an important consideration. Most often it is deployed behind the firewall at the edge of your network. This gives the widest visibility, but it also excludes traffic that occurs between hosts. The right approach is determined by your available resources. Start with the most obvious placement of the device, then over time add IDS coverage in less obvious areas. You should also consider having multiple IDS installations to cover intra-host traffic.

You need to properly size your IDS installation by examining the amount of data that is flowing in BOTH directions where you wish to tap. Be sure to add overhead for future expansion.

False positives occur when your IDS alerts you to a threat that you know is innocuous. An improperly tuned IDS will generate an overwhelming number of false positives. Establishing a policy that removes known false positives will save time in future investigations and prevent unwarranted escalations. Tuning your IDS to report as few false positives as possible will make your life much easier, as you can focus on the more important issues with the least distraction possible.

AlienVault USM reduces false positives through the fidelity of its correlation rules. The AlienVault research team has a deep understanding of the data sources entering the correlation engine. This insight allows them to create accurate correlation rules based on actual behavior seen in the wild, as opposed to just guessing what you *might* have integrated like other products have to do. Furthermore, when alarms do occur, USM provides the rich context needed to make the determination of validity. You can spend less time swiveling in your chair from console to console, and focus on the incident.

The Alarm Taxonomy view in AlienVault USM allows you to quickly determine the priority of your investigations. Spend less time wondering what a Conficker or HeartBleed is and more time investigating infections or exploits.

Next, let’s look at best practices for Host IDS:

The default settings for which files to watch are not enough. The defaults for HIDS usually only monitor changes to the basic operating system files. They may not have awareness of applications you have installed or proprietary data you wish to safeguard.

Define what critical data resides on your assets and create policies to detect changes in that data

If your company uses custom applications, be sure to include the logs for them in your HIDS configuration

As with Network IDS, removing the occurrence of false positives is critical

Almost a year ago, at the 'Hack In The Box' security summit in Amsterdam, Hugo Teso, a security researcher at N.Runs and a commercial airline pilot, presented a demonstration showing that it is possible to take control of aircraft flight systems and communications using an Android smartphone and some specialized attack code.

In a similar vein, another security researcher claims to have devised a method that can give cyber criminals access to the satellite communications equipment on passenger jets through their Wi-Fi and in-flight entertainment systems.

Cyber security expert Ruben Santamarta, a consultant with the security firm IOActive, will unveil his research and all the technical details this week at the Black Hat conference in Las Vegas, showing how commercial airliner satellite communication systems can be compromised by hackers, along with evidence of vulnerabilities in satellite communications systems that calls into question the standards these systems follow.

Santamarta's research paper, titled "SATCOM Terminals: Hacking by Air, Sea and Land", explains that ships, aircraft and industrial facilities are all at risk of being compromised, perhaps with catastrophic results.

“We live in a world where data is constantly flowing. It is clear that those who control communications traffic have a distinct advantage. The ability to disrupt, inspect, modify or re-route traffic provides an invaluable opportunity to carry out attacks,” Santamarta wrote in his paper.

For now it is just a claim, but if confirmed it could prompt a comprehensive rethink of the security of aircraft and other SATCOM terminals, and a review of how their electronic security has been managed in the past.

According to the researcher’s abstract of the talk made public, he will explain how devices sold by the world’s leading SATCOM vendors contain significant security flaws. IOActive also claimed to have determined that “100 percent of the devices could be abused” by an array of attack vectors.

"In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it," Santamarta wrote in the description of his talk. He told Reuters, "These devices are wide open. The goal of this talk is to help change that situation."

Many SATCOM vendors' systems have hardcoded login credentials, with the same credentials used across multiple systems, which gives attackers the potential to take credentials from one system and use them to access others; as a result, they could disable communications and interfere with the plane's navigation.

The researcher discovered the vulnerabilities by "reverse engineering" the highly specialized software known as firmware, used to operate communications equipment made by Cobham Plc, Harris Corp, EchoStar Corp's Hughes Network Systems, Iridium Communications Inc and Japan Radio Co Ltd.

He also developed a theory that a hacker could leverage a plane's onboard Wi-Fi signal or in-flight entertainment system to reach its avionics equipment. This could allow them to disrupt or modify the plane's satellite communications, potentially interfering with the aircraft's navigation and safety systems.

However, it is important to note that just because a security researcher can perform the hack does not mean that attackers are doing it or could easily do so. Santamarta has also acknowledged that the hacks proving his theory were carried out in a controlled test and that he is not sure how practical they would be in the real world.

Furthermore, the abstract of his talk provides no technical or specific details of the exploit, so we will have to wait until Santamarta's presentation later this week.

Still, the good news for the companies that make such equipment is that the researcher plans to reveal all the details he can in his presentation, to help them fix the issues in their vulnerable equipment.